Today the DHS ICS-CERT published an announcement that they have released version 7.1 of their Cyber Security Evaluation Tool (CSET). This marks a change in that in recent years the new version updates have only been announced in the next ICS-CERT Monitor.
According to the release notes the new version of the CSET includes:
• NIST SP800-161 Supply Chain Risk Management Practices for Federal Information Systems and Organizations was added to CSET;
• NERC CIP compliance risk based priority list;
• Enhanced dashboard;
• Requirements organized according to standard: eg NERC CIP, CFATS, etc (including standards numbering scheme);
• Custom parameter values; and
• Doubled number of network components for network diagrams
There is no indication whether or not the CSAT standards have been updated with the specific requirements from the Chemical Facility Anti-Terrorism Standards (CFATS) Expedited Approval Program. The EAP process specifies particular security controls instead of the more general Risk Based Performance Standards used for the majority of Site Security Plans.
It does not look like the CSET Fact Sheet was updated for the new version of CSET since the Standards list does not include the new SP800-161 and it includes an old-style (2014) DHS email address for CSET.
The CSET Downloading and Installing web page was, however, updated as you can clearly see where they changed the CSET_x.x.iso to CSET_7.1.iso. It would have helped, though, if they had removed the old instructions for the ‘x.x’ situation.
It does appear that the old options for either downloading the CSET or requesting a disc from ICS-CERT remain in effect. Organizations also still have the option of running the CSET evaluation themselves or requesting an ICS-CERT team to help them with the process.